Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-amd64-kernel
Hi,
Please find below the latest report on new defects introduced to
NetBSD-amd64-kernel, as found by Coverity Scan.
Defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)
** CID 274431: Dereference null return value (NULL_RETURNS)
/sys/kern/kern_fileassoc.c: 528 in fileassoc_file_delete()
** CID 975226: Unchecked return value (CHECKED_RETURN)
/sys/ufs/ffs/ffs_wapbl.c: 347 in ffs_wapbl_start()
** CID 1224963: Explicit null dereferenced (FORWARD_NULL)
/sys/net/bpf.c: 1394 in bpf_deliver()
** CID 1224964: Overflowed array index read (INTEGER_OVERFLOW)
/sys/ufs/ufs/ufs_quota2.c: 778 in quota2_handle_cmd_del()
** CID 1224965: Missing break in switch (MISSING_BREAK)
/sys/dev/ic/smc91cxx.c: 334 in smc91cxx_attach()
** CID 1224966: Uninitialized pointer read (UNINIT)
/sys/net/bpf.c: 1391 in bpf_deliver()
** CID 1225076: Unintended sign extension (SIGN_EXTENSION)
/sys/fs/msdosfs/msdosfs_denode.c: 291 in msdosfs_loadvnode()
________________________________________________________________________________________________________
*** CID 274431: Dereference null return value (NULL_RETURNS)
/sys/kern/kern_fileassoc.c: 528 in fileassoc_file_delete()
522 return (ENOENT);
523 }
524
525 file_free(faf);
526
527 tbl = fileassoc_table_lookup(vp->v_mount);
>>> CID 274431: Dereference null return value (NULL_RETURNS)
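>>> Dereferencing "tbl", which may be a null pointer: the return value of
>>> "fileassoc_table_lookup(vp->v_mount)" is used without a NULL check.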
528 --(tbl->tbl_nused); /* XXX gc? */
529
530 KERNEL_UNLOCK_ONE(NULL);
531
532 return (0);
533 }
________________________________________________________________________________________________________
*** CID 975226: Unchecked return value (CHECKED_RETURN)
/sys/ufs/ffs/ffs_wapbl.c: 347 in ffs_wapbl_start()
341
342 #ifdef WAPBL_DEBUG
343 printf("%s: enabling logging\n", fs->fs_fsmnt);
344 #endif
345
346 if ((fs->fs_flags & FS_DOWAPBL) == 0) {
>>> CID 975226: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "ufs_wapbl_begin2(mp, NULL, NULL,
>>> <anonymous>, 347)".
347 UFS_WAPBL_BEGIN(mp);
348 fs->fs_flags |= FS_DOWAPBL;
349 error = ffs_sbupdate(ump, MNT_WAIT);
350 if (error) {
351 UFS_WAPBL_END(mp);
352 ffs_wapbl_stop(mp, MNT_FORCE);
________________________________________________________________________________________________________
*** CID 1224963: Explicit null dereferenced (FORWARD_NULL)
/sys/net/bpf.c: 1394 in bpf_deliver()
1388 void *pkt, u_int pktlen, u_int buflen, const bool rcv)
1389 {
1390 struct timespec ts;
1391 bpf_args_t args;
1392 struct bpf_d *d;
1393
>>> CID 1224963: Explicit null dereferenced (FORWARD_NULL)
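>>> Assigning: "bc" = "NULL". (Only the assignment is shown; the dereference
>>> of "bc" that this defect refers to lies outside the lines quoted here.)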
1394 const bpf_ctx_t *bc = NULL;
1395 bool gottime = false;
1396
1397 args.pkt = (const uint8_t *)pkt;
1398 args.wirelen = pktlen;
1399 args.buflen = buflen;
________________________________________________________________________________________________________
*** CID 1224964: Overflowed array index read (INTEGER_OVERFLOW)
/sys/ufs/ufs/ufs_quota2.c: 778 in quota2_handle_cmd_del()
772 goto out_dqlock;
773
774 hash_mask = ((1 << q2h->q2h_hash_shift) - 1);
775 c.dq = dq;
776 c.id = id;
777 c.q2h = q2h;
>>> CID 1224964: Overflowed array index read (INTEGER_OVERFLOW)
>>> Overflowed or truncated value (or a value computed from an overflowed
>>> or truncated value) "id & hash_mask" used as array index.
778 error = quota2_walk_list(ump, hbp, idtype,
779 &q2h->q2h_entries[id & hash_mask], B_MODIFY, &c,
780 dq2clear_callback);
781
782 bwrite(hbp);
783
________________________________________________________________________________________________________
*** CID 1224965: Missing break in switch (MISSING_BREAK)
/sys/dev/ic/smc91cxx.c: 334 in smc91cxx_attach()
328 case CHIP_91100:
329 /*
330 * The 91100 does not have full-duplex capabilities,
331 * even if the PHY does.
332 */
333 miicapabilities &= ~(BMSR_100TXFDX | BMSR_10TFDX);
>>> CID 1224965: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
334 case CHIP_91100FD:
335 case CHIP_91C111:
336 if (tmp & CR_MII_SELECT) {
337 aprint_normal("default media MII");
338 if (sc->sc_chipid == CHIP_91C111) {
339 aprint_normal(" (%s PHY)\n",
________________________________________________________________________________________________________
*** CID 1224966: Uninitialized pointer read (UNINIT)
/sys/net/bpf.c: 1391 in bpf_deliver()
1385 */
1386 static inline void
1387 bpf_deliver(struct bpf_if *bp, void *(*cpfn)(void *, const void *,
size_t),
1388 void *pkt, u_int pktlen, u_int buflen, const bool rcv)
1389 {
1390 struct timespec ts;
>>> CID 1224966: Uninitialized pointer read (UNINIT)
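>>> Declaring variable "args" without initializer. (Only the declaration is
>>> shown; the read that this defect refers to lies outside the lines quoted
>>> here.)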
1391 bpf_args_t args;
1392 struct bpf_d *d;
1393
1394 const bpf_ctx_t *bc = NULL;
1395 bool gottime = false;
1396
________________________________________________________________________________________________________
*** CID 1225076: Unintended sign extension (SIGN_EXTENSION)
/sys/fs/msdosfs/msdosfs_denode.c: 291 in msdosfs_loadvnode()
285 error = readep(pmp, ldep->de_dirclust,
ldep->de_diroffset,
286 &bp, &direntptr);
287 if (error) {
288 pool_put(&msdosfs_denode_pool, ldep);
289 return error;
290 }
>>> CID 1225076: Unintended sign extension (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "le16dec(direntptr->deHighClust)"
>>> with type "unsigned short" (16 bits, unsigned) is promoted in
>>> "le16dec(direntptr->deHighClust) << 16" to type "int" (32 bits, signed),
>>> then sign-extended to type "unsigned long" (64 bits, unsigned). If
>>> "le16dec(direntptr->deHighClust) << 16" is greater than 0x7FFFFFFF, the
>>> upper bits of the result will all be 1.
291 DE_INTERNALIZE(ldep, direntptr);
292 brelse(bp, 0);
293 }
294
295 /*
296 * Fill in a few fields of the vnode and finish filling in the
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
http://scan.coverity.com/projects/1447?tab=overview
To unsubscribe from the email notification for new defects,
http://scan5.coverity.com/cgi-bin/unsubscribe.py